Where exactly did you read this? There is no doubt WPA2 is more secure than WPA. I would argue that WPA Enterprise is an entirely different authentication model than WPA.
– Ramhound May 12 '13 at 9:26

You don't have to argue, it is. WPA2 Personal uses pre-shared keys. That means you have to know the key and it can be shared amongst users. With Enterprise, you have to have an account on a back-end RADIUS server. This means that you have to have a username and password to gain access to the wireless network.
– Jason H May 13 '13 at 12:00

5 Answers
5

The PSK variants of WPA and WPA2 use a 256-bit key derived from a password for authentication.

The Enterprise variants of WPA and WPA2, also known as 802.1X, use a RADIUS server for authentication purposes. Authentication is achieved using variants of the EAP protocol. This is a more complex but more secure setup.

The key difference between WPA and WPA2 is the encryption protocol used. WPA uses the TKIP protocol, whilst WPA2 introduces support for the CCMP protocol.

So when using a RADIUS server, an EAP protocol will be used instead of TKIP or CCMP?
– user12199 May 12 '13 at 8:46

2

@Unw0und No, EAP is an authentication protocol while TKIP and CCMP are encryption protocols.
– Terry Chia May 12 '13 at 8:50

3

This answer isn't very informative. How is EAP “more secure”? Does it protect against more threats, or provide greater strength against brute force? What difference does TKIP vs CCMP make?
– Gilles May 12 '13 at 11:48

3

EAP is more secure because the keying material is unique and created between client and AP rather than generated based on a known value (PSK). In personal mode, the keying material is generated based on a known value (the PSK) and anyone with that known value is able to capture the key negotiation and therefore decrypt all the resulting traffic. Additionally, with EAP, the keying material can be changed during the session, making it more secure.
– YLearn May 13 '13 at 2:30

WPA2 is more secure than WPA, as explained by Terry. You just need to understand the difference between the personal (pre-shared key) and enterprise versions of both protocols.

The personal version is where all the users share a secret password that is configured in the access point. In the enterprise version there is a central authentication server and all the users have different sets of credentials that they use in order to access WiFi. So basically there is no single shared password.

Say you have 10 users.
In PSK mode all 10 users are using the same passphrase to generate the same key. Therefore, the likelihood of capturing traffic and analyzing it to find the key is higher with so much traffic, and that key will be good until all 10 users agree to change the passphrase (and therefore the key).

If those same 10 users use their own username and password to log in to an enterprise WiFi network, each user authenticates to the RADIUS server, which then generates a key for their session and hands that to the AP to use with their client.

Therefore the traffic with the same key is only one user's traffic, so it is 1/10th as much data to work with, and the key will change the next time the user logs in. The password the user authenticates with may stay the same, but the key that it generates is unique to each session. Combined with good password habits, WPA Enterprise is better. Also, individual users' access can be revoked at any time without affecting other users.
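As an added illustration (not code from any of the answers or comments here) of what Terry's answer, YLearn's comment and the 10-user scenario above describe, here is Python that follows the IEEE 802.11i key schedule: passphrase and SSID become the 256-bit PSK/PMK via PBKDF2, and the PMK plus the two MAC addresses and two nonces exchanged in the 4-way handshake become the session PTK. The MAC addresses and nonces below are constructed values; the passphrase/SSID pair is the standard's own published test vector.

```python
import hashlib
import hmac

# Constructed walk-through of the IEEE 802.11i key schedule used by WPA/WPA2-Personal.
# Passphrase + SSID -> 256-bit PSK (used directly as the PMK); then the 4-way handshake
# expands PMK + both MAC addresses + both nonces into the session PTK. Everything in
# that expansion except the PMK is transmitted unencrypted during the handshake.

def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK: PBKDF2-HMAC-SHA1 salted with the SSID, 4096 rounds, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                 nbytes: int = 48) -> bytes:
    """Pairwise key expansion; 48 bytes suffice for CCMP (TKIP would take 64)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def split_ptk(ptk: bytes) -> dict:
    """CCMP layout: KCK (handshake MIC) | KEK (key wrap) | TK (data encryption)."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def demo() -> tuple:
    """Two sessions on one passphrase, then a second user of the same network."""
    pmk = psk_from_passphrase("password", "IEEE")  # 802.11i Annex H test vector
    ap, client = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
    anonce, snonce1, snonce2 = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))  # constructed; real ones are random
    tk1 = split_ptk(ptk_from_pmk(pmk, ap, client, anonce, snonce1))["TK"]
    tk2 = split_ptk(ptk_from_pmk(pmk, ap, client, anonce, snonce2))["TK"]
    # Fresh nonces give each session its own TK, but every other user of the same
    # network already holds the passphrase and sees the MACs and nonces, so they
    # reach the same TK: only the PMK supplies any secrecy, and it is shared by all.
    other_user_tk = split_ptk(ptk_from_pmk(psk_from_passphrase("password", "IEEE"),
                                           ap, client, anonce, snonce1))["TK"]
    return tk1 != tk2, other_user_tk == tk1
```

In Enterprise mode the PMK is instead delivered per session by the RADIUS server after EAP succeeds, so the same expansion runs but no other user holds the input.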

There are lots of terms being mixed here.

WPA2 is an encryption scheme. The enterprise vs. personal refer to the authentication scheme but not the encryption scheme. The authentication scheme basically verifies your identity to the network owner before you are allowed to send encrypted data.

From an encryption viewpoint, WPA2-Enterprise and WPA2-Personal have the same 256-bit encryption algorithm (I believe it is called AES-CCMP). So the difference between them lies in the authentication scheme.

Now, EAP and 802.1X can be thought of as one and the same protocol. They define signalling methods to allow the authentication to happen between (now this is important): the client, the access point and a third entity called the registrar which stores the authentication credentials. EAP is used in Personal and Enterprise BUT the key difference is the location and the type of credentials that the registrar requires from the client before agreeing to grant it access to the network. In PERSONAL, it is common for the registrar to reside on the same physical entity as the access point (i.e. wireless router) and the authentication method is usually based on a pre-shared key (e.g. the one that is pre-programmed into the router when you buy it or the one that the owner of the router would give you when you come to his place). Changing that pre-shared key requires a global update whenever any of the old clients want to access the network again (i.e. you have to tell them that you changed the key and the key is XYZ). In ENTERPRISE the registrar is usually a separate entity that runs a protocol called RADIUS. It provides more manageability (e.g. a pre-shared key for every user, the admin can revoke a key for a particular user, etc.).

Now something really important here (from a security viewpoint): the encryption key (i.e. not the authentication key) is derived from the pre-shared key, thus it is easier for someone who has the pre-shared authentication KEY in PERSONAL to recreate the encryption key and thus decrypt the data. In addition, PERSONAL allows for other methods to further simplify the issue of entering the pre-shared key, such as the push-button (push the button on the router and the device at the same time and everything happens seamlessly). This method compromises the security if someone is listening on the channel, and it has been shown to be easily breakable (now the term easily is relative!!). Such a method is not available in Enterprise. Therefore in summary, yes, Enterprise is more secure, but it is also more suited for someone who has the knowledge and resources to install and administer a RADIUS server. Good security is achievable over PERSONAL by choosing a strong pre-shared key and disabling the push-button method on the wireless router.

The Enterprise (RADIUS/EAP/802.1X) mode of WPA or WPA2 provides the following benefits over using the Personal (Pre-Shared Key or PSK) mode of WPA or WPA2:

Overall it complicates the process of "hacking" the wireless.

Each user can be assigned a unique login credential (username or password, security certificates, or smartcard) for the Wi-Fi, instead of a single global password for all.

User-to-user snooping is prevented, unlike with the Personal mode where connected users can capture each other's traffic, including passwords and session hijacking.

Enables additional controls (authorizations) such as Login-Time, allowing you to define the exact days and times users can log in, Called-Station-ID to specify which access points they can connect through, and Calling-Station-ID to specify which client devices they can connect from.
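To show what those authorization check items look like in practice, here is an added Python policy check (not part of the answer, and not any RADIUS server's code) that evaluates a constructed 802.1X Access-Request against per-user Login-Time, Called-Station-Id and Calling-Station-Id rules. Assumptions: attribute names follow RFC 2865, the "AP-MAC:SSID" layout of Called-Station-Id follows RFC 3580, and the Login-Time window syntax ("Wk0800-1800") is a common server convention rather than a formal standard.

```python
import re
from datetime import datetime

# Constructed example of authorization check items a RADIUS server can apply to an
# 802.1X Access-Request. Attribute names are RFC 2865; Called-Station-Id as
# "AP-MAC:SSID" follows RFC 3580; the Login-Time window syntax is an assumption
# modelled on common server conventions, not any particular server's parser.

DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
             "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Al": set(range(7))}

def login_time_allows(spec: str, when: datetime) -> bool:
    """True if `when` falls inside any comma-separated window such as 'Wk0800-1800'."""
    for window in spec.split(","):
        m = re.fullmatch(r"([A-Za-z]{2})(\d{4})-(\d{4})", window.strip())
        if not m or m.group(1) not in DAY_CODES:
            raise ValueError(f"bad Login-Time window: {window!r}")
        start, end = int(m.group(2)), int(m.group(3))
        hhmm = when.hour * 100 + when.minute
        if when.weekday() in DAY_CODES[m.group(1)] and start <= hhmm < end:
            return True
    return False

# Per-user check items (constructed): office hours only, two office APs, one laptop.
POLICY = {
    "alice": {
        "Login-Time": "Wk0800-1800",
        "Called-Station-Id": re.compile(r"^02-00-00-00-00-0[12]:CorpWiFi$"),
        "Calling-Station-Id": {"02-00-00-00-01-AA"},
    },
}

REQUEST = {  # constructed Access-Request, as the AP forwards it after the EAP identity exchange
    "User-Name": "alice",
    "Called-Station-Id": "02-00-00-00-00-01:CorpWiFi",
    "Calling-Station-Id": "02-00-00-00-01-AA",
}

def authorize(request: dict, when_iso: str, policy=POLICY) -> tuple:
    """Return (accept, reason); any failed check item would become an Access-Reject."""
    when = datetime.fromisoformat(when_iso)
    rules = policy.get(request.get("User-Name"))
    if rules is None:
        return False, "unknown user"
    if not login_time_allows(rules["Login-Time"], when):
        return False, "outside Login-Time"
    if not rules["Called-Station-Id"].match(request.get("Called-Station-Id", "")):
        return False, "Called-Station-Id not permitted"
    if request.get("Calling-Station-Id") not in rules["Calling-Station-Id"]:
        return False, "Calling-Station-Id not permitted"
    return True, "Access-Accept"
```

Revoking one user is then a one-line change to that user's entry, which is the manageability point the answers above make; a PSK network would instead need every device re-keyed.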